Privacy Policies for Small Businesses

Privacy laws do not exempt businesses from protecting customers' privacy just because they are small. As a small business, you are just as responsible for any breaches or mishandling of data as a billion-dollar multinational corporation would be.

Fortunately, a Privacy Policy is easy to draft and offers a number of advantages for your small business.

This guide explains why you need a Privacy Policy and how to draft and display one for your customers.

Why you need a Privacy Policy

There are two reasons even small businesses require a Privacy Policy.

First, they are legally required.

Secondly, they protect you from liability.

Required by law

If purchasing your product or service requires customers to give you personally identifiable information, you are required to post a Privacy Policy on your website or make one available at your office or storefront.

Personally identifiable information is the general term for any information that can be used to identify, contact or locate an individual. It includes but isn't limited to the following:

  • Full names
  • Dates of birth
  • Physical addresses
  • Any type of national identification number
  • IP addresses (if tracked)
  • Telephone numbers
  • Screen names or handles
  • Email addresses
  • Credit card numbers

The requirement for a Privacy Policy is a worldwide one. Only the United States does not have a federal privacy protection law. However, the state of California has its own law known as CalOPPA. Since California is such a populous state, it is safer to assume that you must abide by the California law if you transact business in the United States. This, in effect, works to cover most American businesses and businesses that transact with American citizens.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer the questions about your website and click "Next step" when finished:

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

Current laws requiring a Privacy Policy include:

  • California Online Privacy Protection Act (CalOPPA): Requires a Privacy Policy that's posted in a conspicuous place and that describes how you collect information, what data you request, and how customers can change inaccurate data.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): The Canadian privacy law requires Canadian businesses to secure consent before collecting personal information. These processes must be outlined in your Privacy Policy in plain language.
  • Australia Privacy Act: This act addresses information privacy with 11 principles. They address issues like the collection of information, requesting it, and access to records. There are also limited allowable uses for the information and if your Privacy Policy is open and transparent, you will likely meet the standards in this act.
  • Data Protection Act (DPA): The UK law for privacy protection advances eight principles for data collection including a legitimate reason for needing it, protecting users, and the principles in a Privacy Policy.

Even if you do not believe a country's law applies to you, it is still a good idea to create a Privacy Policy. Informing customers of the type of information you collect and how you use it protects you from liability if a customer claims you handled their data incorrectly.

Protection from liability

Small businesses have the most to lose from poor data practices. You can handle data in a way consistent with local laws and your internal policies, but if a customer interprets that as mishandling, you may face liability or at least an expensive and time-consuming legal battle to fight the claim.

A Privacy Policy explains your policies for handling information and distinguishes prohibited actions from allowed ones. Also, if a customer authorizes your procedures by accepting the Privacy Policy, they will not have a cause of action against you. Their acceptance authorizes your data practices and as long as you continue as you stated in your Privacy Policy, you enjoy legal protection even if a customer suddenly decides they do not approve of how you handle their data.

Drafting Your Privacy Policy

These basic provisions help you remain in compliance with current privacy laws. In addition to crafting a good agreement, you also have to make it available to your customers and assure they accept the terms.

Use the TermsFeed Privacy Policy generator to create your own Privacy Policy in just minutes.

Required provisions

Start with these provisions when drafting your complete Privacy Policy.

Information collected

Almost all Privacy Policies start with a description of the data collected. You can make this a list, like telling customers you will collect names, addresses, email address, and payment information, or you may offer general categories.

It is better to be overly specific in this section rather than vague. If you only collect the personal data you require and nothing extra, it should be easy to draft.

Workable is a recruiting software resource firm that offers general templates, including those for data collection. In this template, it offers this broader statement describing information you may gather from customers that you may want to customize for your business:


ABC Financial is a small business that collects membership dues for a local fitness studio, Muv Fitness. Its Privacy Policy is available on the Muv Fitness website. It is specific about the information it collects and why it does so:

ABC Financial

Notice the use of plain language. When it comes to explaining to customers what type of data you require and request, keeping things simple is the best course of action.

How it is collected

The provisions regarding how you collect information may be included with the type of information or in its own section. ABC Financial takes the first approach and informs customers that they will be aware of information collection because they are the ones submitting it.

However, if you support online signup or shopping on your website, you may use tracking technology to understand customer patterns. This must be indicated in your Privacy Policy if it's taking place.

Workable, in its own Privacy Policy, addresses this issue as an online company. Your small business will likely handle automatic data collection in the same way:


When you draft this section, include all data collection efforts in place including online tracking software. Failure to inform customers of that is a violation of privacy laws in some jurisdictions, especially in the European Union.

Information you share or disclose

Most companies share or disclose information to affiliates or as a matter of legal process. Affiliates are held to the same Privacy Policy. Legal process involves government requests for information. For example, if one of your customers faces criminal charges and the police want their purchase records, you would disclose information as legal process requires it.

Cover all of these issues in your section on sharing and disclosure, including when a customer consents. This is how ABC Financial handles disclosure:

ABC Financial

If you have affiliate companies that may use the information you collect, specifically mention the affiliates or third parties.

How customers can update information

Being able to access and update personal data is an important right granted to consumers under current privacy laws. In your Privacy Policy, you must not only communicate this right but also tell customers how they can view and correct the personal information you keep on file.

This is as simple as stating that you allow access to information by consumers and giving them contact information to make corrections. ABC Financial addresses this briefly in its Privacy Policy:

ABC Financial

The important part is that you allow the access and correction, not how you do it. Providing a telephone number works, but so does online account access or electronic forms. Do whatever makes it easiest for you to receive corrections of data and enact them.

Data protection measures

Telling consumers how you protect data is required in laws like the UK's Data Protection Act. It also reassures your users and forms an agreement between you and them that their data stays safe.

The Workable template defines general duties and its commitment to them:


If you have a specific way to assure data security, like SSL encryption, mention it specifically. This is what ABC Financial does:

ABC Financial

When you place these provisions in your Privacy Policy, you should also have a data management plan to back them up and execute what you say you're doing. You may wish to study privacy by design strategies that help you with information security so you do not risk liability from data breaches.

Opt-out procedures

Many countries have laws restricting unsolicited email or spam. You are required to give customers the chance to opt out of these communications and failure to do so could result in civil liability and fines.

It is also simply a nice thing to do. If a customer made one purchase and no longer wants promotions from you, offering a procedure to make this request helps your goodwill. While you may consider the promotions a money-making effort, being respectful towards customers also helps you gain in your market.

The opt-out procedures for reducing spam or refusing promotions should be in your Privacy Policy. Offer a telephone number or email address where customers can contact you to opt out of these communications.

Updates and notification

It is very likely you will update your Privacy Policy as laws change and you gain more experience in your business transactions. In order to avoid catching customers off-guard, articulate this right in your Privacy Policy.

ABC Financial mentions its Privacy Policy can change and any changes will be announced on its homepage:

ABC Financial

Notice requirements for changes are helpful. You can do this through email, banner ads or announcement text on the top of your Privacy Policy.

Here's how Twitter let users know that its Privacy Policy was being updated and changed.

Twitter Privacy Policy Update Notification

Making it accessible to customers

Making your Privacy Policy available online is a reasonable practice even if your website exists for marketing exposure only. Even if a customer must visit your place of business to turn over personal information and buy your product or service, making your Privacy Policy as visible as possible works to your legal advantage. You can provide a hard copy of the policy as well when your customer visits your storefront.

Start by creating a link at the bottom of your signup page. The ABC Financial Privacy Policy is linked to the signup page at Muv Fitness, since it exists to collect dues for that facility:

Muv Fitness Privacy Policy link in website footer

Another idea is to provide a link and a chance to accept the Privacy Policy at checkout. This method is referred to as clickwrap and it helps ensure your terms are legally accepted by your users. This example from Memebox shows you how you can do this:

Example of clickwrap from Memebox during checkout: Account is required and by signing up you agree to Terms & Conditions and Privacy Policy

Drafting tips

When you draft your Privacy Policy, keep these four tips in mind:

  • Never ask for more information than is necessary. If you do not require a customer's date of birth to provide services, do not ask for it. The less personal data you collect, the less work you need to perform to keep it safe and track it.
  • Write in plain language. Consumers are becoming more savvy about the data they share and how companies use it. Writing a vague or unnecessarily complex Privacy Policy puts them on alert and they will be less likely to do business with you. Use plain language and consider experimenting with other structures, like a FAQ or adding a table of contents.
  • Customize to your business. A fitness studio collects different data than an accounting firm. You can start with a template or a borrowed Privacy Policy, but make it relevant to your business and the information you collect.
  • Implement good information practices. Privacy by design helps small businesses, too. A Privacy Policy gives you a good foundation and strengthens relationships with your customers, but that will mean nothing if you fail to instill the right security and virus protection for your systems.

Small businesses have more to lose if data breaches or customer misunderstandings arise. A well-drafted Privacy Policy is a good start to handling your customers' personal data well and will help you enact better information protection practices.

Jocelyn M.

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.